Analysis

  • max time kernel
    111s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-12-2024 09:08

General

  • Target

    212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe

  • Size

    880KB

  • MD5

    0ae61fbe5369cf1bff062e29986d2920

  • SHA1

    12bb8851d08c99ba0f87598422d5cb681aa9b415

  • SHA256

    212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6

  • SHA512

    c35924633f285e554d98ebc5d6b5bb381e3831299837cdd62a18b5df479a725991989ebc0fb44080f0f45430b8986090df46cafb282ed7869e712eccf2b99b63

  • SSDEEP

    24576:YxesON826V84ViythW8GTFThS6qFHAOet3GstG2ReuVyh:Yxe826lViybCZiEE/h

Malware Config

Signatures

  • Detect Neshta payload 1 IoCs
  • Neshta

    Neshta is a file-infecting virus. It prepends its own body to .exe files it finds on the system and on attached drives, and when an infected file runs, the infector stub writes the untouched original program to a temp subdirectory (here C:\Users\Admin\AppData\Local\Temp\3582-490\) and launches it, so the host appears to work normally. It also rewrites the system's executable file-type association so that the infector is invoked whenever any .exe is started (see "Modifies system executable filetype association" below). In this run the host is an Inno Setup installer (the is-SP4AA.tmp\*.tmp stage with its /SL5= switch), and the sizes fit the pattern: the 880KB submitted sample versus the 840KB dropped original.

  • Neshta family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Reads stored web-browser profile data, which can include saved credentials, cookies and history. The signature is associated with infostealers, but it fires on file reads, so a file infector walking the user profile can trigger it without exfiltrating anything; the Network section of this report is empty, so treat it as a lead rather than a conclusion.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
    "C:\Users\Admin\AppData\Local\Temp\212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Users\Admin\AppData\Local\Temp\3582-490\212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Users\Admin\AppData\Local\Temp\is-SP4AA.tmp\212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-SP4AA.tmp\212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp" /SL5="$40156,468623,97792,C:\Users\Admin\AppData\Local\Temp\3582-490\212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2968
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-JF0O2.tmp\Win_ver.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:636
          • C:\Windows\system32\find.exe
            find /i "6.2.9200"
            5⤵
              PID:2816
            • C:\Windows\system32\find.exe
              find /i "6.3.9600"
              5⤵
                PID:2824
              • C:\Windows\system32\find.exe
                find /i "10.0."
                5⤵
                  PID:2944
                • C:\Windows\system32\find.exe
                  find /i "6.1.7601"
                  5⤵
                    PID:2756
                  • C:\Windows\system32\find.exe
                    find /i "10.0.14393"
                    5⤵
                      PID:2812
                    • C:\Windows\system32\find.exe
                      find /i "10.0.15063"
                      5⤵
                        PID:2836
                      • C:\Windows\system32\find.exe
                        find /i "10.0.16299"
                        5⤵
                          PID:2892
                        • C:\Windows\system32\find.exe
                          find /i "10.0.17134"
                          5⤵
                            PID:1336
                          • C:\Windows\system32\find.exe
                            find /i "10.0.17763"
                            5⤵
                              PID:2500
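The process tree above shows the Neshta hallmark in two steps: the infected sample (PID 2524) re-executes its own filename from the 3582-490 temp subdirectory (PID 1272), and that dropped copy is the clean Inno Setup installer, 40KB smaller than the submitted file. The following Python is an added example, not code from the report or the sandbox vendor. It flags that relaunch pattern in a process list and carves the host program out of an infected file on the assumption, taken from family write-ups and the 880KB/840KB size difference rather than from anything shown on this page, that Neshta stores the original program unchanged after its own body. The process records and the "infected" byte strings are constructed for the example; the real stub length is not asserted anywhere in the code.

```python
"""Neshta triage helpers (added example, not part of the sandbox report).

Two checks a responder would want from the tree above:
  1. flag the relaunch hallmark: a process re-executing its own filename from a
     \\3582-490\\ temp subdirectory (the infector dropping and running the host);
  2. carve the original host program out of an infected PE, assuming the
     stub-then-host layout described in the lead-in.
"""
import hashlib
import ntpath
from dataclasses import dataclass

NESHTA_DROP_DIR = "3582-490"  # temp subdirectory name seen in the process tree


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str


def neshta_relaunch_pairs(procs):
    """Return (parent_pid, child_pid) pairs where the child has the same filename as
    its parent and runs from a ...\\3582-490 directory."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        same_name = (ntpath.basename(child.image).lower()
                     == ntpath.basename(parent.image).lower())
        in_drop_dir = ntpath.dirname(child.image).lower().endswith("\\" + NESHTA_DROP_DIR)
        if same_name and in_drop_dir:
            hits.append((parent.pid, child.pid))
    return hits


def carve_host(infected: bytes, host_size: int) -> bytes:
    """Return the trailing host_size bytes of an infected file, which under the
    stub-then-host layout is the original program. Refuses if the tail does not
    begin with the 'MZ' DOS header, i.e. host_size (or the layout assumption) is wrong."""
    if not 0 < host_size < len(infected):
        raise ValueError("host_size must lie strictly between 0 and the file size")
    host = infected[-host_size:]
    if host[:2] != b"MZ":
        raise ValueError("carved tail is not a PE image; host_size or layout assumption is wrong")
    return host


def sha256_hex(data: bytes) -> str:
    """Hash a carved host so it can be compared with the sandbox's dropped-file SHA256."""
    return hashlib.sha256(data).hexdigest()


# --- constructed sample input (shapes copied from the report, contents invented) ---
SAMPLE_PROCS = [
    Proc(2524, 1, r"C:\Users\Admin\AppData\Local\Temp\sample.exe"),
    Proc(1272, 2524, r"C:\Users\Admin\AppData\Local\Temp\3582-490\sample.exe"),
    Proc(2968, 1272, r"C:\Users\Admin\AppData\Local\Temp\is-SP4AA.tmp\sample.tmp"),
    Proc(636, 2968, r"C:\Windows\system32\cmd.exe"),
]

# A fake "infected" file: an invented stub body followed by an invented host PE.
FAKE_STUB = b"MZ" + b"\x90" * 126                                  # stands in for the infector body
FAKE_HOST = b"MZ" + b"\x00" * 62 + b"PE\0\0" + b"\x01" * 30         # stands in for the original program
FAKE_INFECTED = FAKE_STUB + FAKE_HOST

if __name__ == "__main__":
    print("relaunch pairs:", neshta_relaunch_pairs(SAMPLE_PROCS))
    host = carve_host(FAKE_INFECTED, len(FAKE_HOST))
    print("carved host sha256:", sha256_hex(host))
```

On a real sample, host_size is simply the size of the file the sandbox saw dropped into 3582-490, and the carved tail should hash to the SHA256 listed for that dropped file; if the MZ check fails, the layout assumption does not hold for that variant and the carve must not be trusted.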

                    Network

                    MITRE ATT&CK Enterprise v15


                    Downloads

                    • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

                      Filesize

                      547KB

                      MD5

                      cf6c595d3e5e9667667af096762fd9c4

                      SHA1

                      9bb44da8d7f6457099cb56e4f7d1026963dce7ce

                      SHA256

                      593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

                      SHA512

                      ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

                    • C:\Users\Admin\AppData\Local\Temp\is-JF0O2.tmp\Version.txt

                      Filesize

                      40B

                      MD5

                      082f2e97e670228e3b323c6a3a874f40

                      SHA1

                      e50760edb5e88385449a44818f5726e5beed7aab

                      SHA256

                      292bf366a534157e5414f344218c9df828e2f211617fc84352f3ab2564050941

                      SHA512

                      ad96826fb4a9ad5296acf1136bd81348492b4e191ba7936fe515a254f7bb789ab7bb3b939a5b9094b0fdaca9b4ad0f0445034a6eb2d78bd1529c2e638eafbe91

                    • C:\Users\Admin\AppData\Local\Temp\is-JF0O2.tmp\Win_ver.bat

                      Filesize

                      1KB

                      MD5

                      3cb6a90e67d6605abdc3602292e5ef2b

                      SHA1

                      bd80bd159e6033d3bb40bf262c1f8412a29c6893

                      SHA256

                      4b1a34abf4dc7a7b98507b1b37eae6a0da5ce951cde221ab426a56988b834f89

                      SHA512

                      bd0942de8ec0db64fccaa3dac9773a44f219a6eeaf5a969a55db8aa861e247c9a3ef1404ac59fe6addc198e87afc1721eb4fdd36f1b3df03277ec9bc8f6732bc

                    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

                      Filesize

                      252KB

                      MD5

                      9e2b9928c89a9d0da1d3e8f4bd96afa7

                      SHA1

                      ec66cda99f44b62470c6930e5afda061579cde35

                      SHA256

                      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

                      SHA512

                      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

                    • \Users\Admin\AppData\Local\Temp\3582-490\212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.exe

                      Filesize

                      840KB

                      MD5

                      d7c6b9469a8ade82b4fcff029e9c30f7

                      SHA1

                      6266b2fa8358e55eb8957475202352f938791d04

                      SHA256

                      49ccd90828bb0908c40cd557212ceb6d1c4acdd867cb986c44148f4faea751b9

                      SHA512

                      b8c65ab2414ad06baba7e8271d6c0466abf562e6bdd4f03e31c8794f75e33200bdde12236edd12095c3251e9cc3c31df8007eb3f9cddd74baedf5c9da79bc9e4

                    • \Users\Admin\AppData\Local\Temp\is-JF0O2.tmp\IsProgressBar.dll

                      Filesize

                      154KB

                      MD5

                      3aa93aebd65e6816be4829e57f58e0c2

                      SHA1

                      37ea752eae1ae3e3630776d26d09b446e86cf83a

                      SHA256

                      1e25cf231be401d20c332afc3e399ce4323340612cd8ef4ce344f080aab2c283

                      SHA512

                      7ff18e1b3405860fc8880b6c4cd85e15b9b68587436bbb2d3153154f571dd70a0d3f8ec651686478b2f66e7407ce7ab59cb81f35be9f8c8bcb7ab78e4c9de5f3

                    • \Users\Admin\AppData\Local\Temp\is-JF0O2.tmp\Skin.cjstyles

                      Filesize

                      821KB

                      MD5

                      6afcf673714e1c0f88e443b07867cad7

                      SHA1

                      acf6a8927231ab1e47249a05d45c55b0d0133c38

                      SHA256

                      23801684937fd06d0d00b5321517e3869e7c614e3401099f1d040498c7147f89

                      SHA512

                      f40dc22b8c1a503ce0d68a691b28c715df5cf037a937bf4cb8e1942b774d74951da4863b2ca8fad31cf7033a99c9d54fb940a8e267d125f70a16e6b4e75143e5

                    • \Users\Admin\AppData\Local\Temp\is-JF0O2.tmp\_isetup\_shfoldr.dll

                      Filesize

                      22KB

                      MD5

                      92dc6ef532fbb4a5c3201469a5b5eb63

                      SHA1

                      3e89ff837147c16b4e41c30d6c796374e0b8e62c

                      SHA256

                      9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

                      SHA512

                      9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

                    • \Users\Admin\AppData\Local\Temp\is-JF0O2.tmp\descctrl.dll

                      Filesize

                      6KB

                      MD5

                      c0cce6e6ea0444b77d938671beb6269a

                      SHA1

                      480120d268d9bb763241301e95ee340c38b73e71

                      SHA256

                      9473cb7259c02a227cd61df613dacacbbd54b7ae1f465cd46feeeab7a74d0b41

                      SHA512

                      1bdfea634bbf0ed637ac7d28b315006e05db9fd70ee1ab855448d12ae9b3cfe226b54e064c289b3e3a9e46d182616ce55ddcb0b9ef53ad84f8d41a09cb469754

                    • \Users\Admin\AppData\Local\Temp\is-JF0O2.tmp\isskin.dll

                      Filesize

                      385KB

                      MD5

                      92c2e247392e0e02261dea67e1bb1a5e

                      SHA1

                      db72fed8771364bf8039b2bc83ed01dda2908554

                      SHA256

                      25fdb94e386f8a41f10aba00ed092a91b878339f8e256a7252b11169122b0a68

                      SHA512

                      e938d2a1870ccb437d818b5301e6ecffaa6efbf4f0122e1a1ae0981057d7d0376039ea927c6fd326456da2d6904803fca26b87245367a4c5de2aebc47bdcd4b5

                    • \Users\Admin\AppData\Local\Temp\is-SP4AA.tmp\212233c1038ede44ca3833081b8e6a4e75c656abe884aac412bef2b5b2dd51a6N.tmp

                      Filesize

                      943KB

                      MD5

                      603d510b304d2ebbc55d3cf4d049b6ff

                      SHA1

                      bd028110aa4d0179e3e04854c9279b0f5e2d895e

                      SHA256

                      0963beb22fe4b5d52bc5b10adc63c72a379a3bbed138273aeffa502ecc7feeb2

                      SHA512

                      8ea32b11988003ccf67dddfd3cb46edc8b6b8135e6aba2bb0251ff55a25224f94e5bae8c64199f8c5b8046bbb42d77c34f7a4d74058b5afe2a6d9238d4688475

                    • memory/1272-9-0x0000000000400000-0x000000000041F000-memory.dmp

                      Filesize

                      124KB

                    • memory/1272-12-0x0000000000401000-0x000000000040B000-memory.dmp

                      Filesize

                      40KB

                    • memory/2968-118-0x00000000755A0000-0x0000000075623000-memory.dmp

                      Filesize

                      524KB

                    • memory/2968-111-0x0000000075380000-0x0000000075392000-memory.dmp

                      Filesize

                      72KB

                    • memory/2968-56-0x0000000075740000-0x00000000757DD000-memory.dmp

                      Filesize

                      628KB

                    • memory/2968-57-0x00000000769B0000-0x0000000076A50000-memory.dmp

                      Filesize

                      640KB

                    • memory/2968-58-0x00000000761C0000-0x000000007624F000-memory.dmp

                      Filesize

                      572KB

                    • memory/2968-61-0x0000000074ED0000-0x0000000074F21000-memory.dmp

                      Filesize

                      324KB

                    • memory/2968-60-0x0000000075CC0000-0x0000000075D17000-memory.dmp

                      Filesize

                      348KB

                    • memory/2968-59-0x00000000763B0000-0x000000007650C000-memory.dmp

                      Filesize

                      1.4MB

                    • memory/2968-37-0x0000000005270000-0x00000000052D8000-memory.dmp

                      Filesize

                      416KB

                    • memory/2968-75-0x0000000005270000-0x00000000052D8000-memory.dmp

                      Filesize

                      416KB

                    • memory/2968-86-0x0000000074F30000-0x0000000074F39000-memory.dmp

                      Filesize

                      36KB

                    • memory/2968-93-0x0000000076250000-0x00000000762CB000-memory.dmp

                      Filesize

                      492KB

                    • memory/2968-121-0x0000000005270000-0x00000000052D8000-memory.dmp

                      Filesize

                      416KB

                    • memory/2968-136-0x0000000074BF0000-0x0000000074C22000-memory.dmp

                      Filesize

                      200KB

                    • memory/2968-135-0x0000000074C30000-0x0000000074CBC000-memory.dmp

                      Filesize

                      560KB

                    • memory/2968-134-0x00000000755A0000-0x0000000075623000-memory.dmp

                      Filesize

                      524KB

                    • memory/2968-132-0x0000000074ED0000-0x0000000074F21000-memory.dmp

                      Filesize

                      324KB

                    • memory/2968-131-0x0000000075CC0000-0x0000000075D17000-memory.dmp

                      Filesize

                      348KB

                    • memory/2968-130-0x0000000074F60000-0x00000000750FE000-memory.dmp

                      Filesize

                      1.6MB

                    • memory/2968-129-0x0000000074F30000-0x0000000074F39000-memory.dmp

                      Filesize

                      36KB

                    • memory/2968-128-0x0000000075380000-0x0000000075392000-memory.dmp

                      Filesize

                      72KB

                    • memory/2968-127-0x00000000769B0000-0x0000000076A50000-memory.dmp

                      Filesize

                      640KB

                    • memory/2968-126-0x0000000010000000-0x0000000010060000-memory.dmp

                      Filesize

                      384KB

                    • memory/2968-125-0x0000000075570000-0x0000000075597000-memory.dmp

                      Filesize

                      156KB

                    • memory/2968-124-0x0000000075A80000-0x0000000075C1D000-memory.dmp

                      Filesize

                      1.6MB

                    • memory/2968-123-0x0000000075100000-0x00000000751F5000-memory.dmp

                      Filesize

                      980KB

                    • memory/2968-122-0x00000000749E0000-0x0000000074A19000-memory.dmp

                      Filesize

                      228KB

                    • memory/2968-20-0x0000000000400000-0x00000000004FF000-memory.dmp

                      Filesize

                      1020KB

                    • memory/2968-117-0x00000000753A0000-0x00000000753B3000-memory.dmp

                      Filesize

                      76KB

                    • memory/2968-115-0x0000000076250000-0x00000000762CB000-memory.dmp

                      Filesize

                      492KB

                    • memory/2968-114-0x0000000074ED0000-0x0000000074F21000-memory.dmp

                      Filesize

                      324KB

                    • memory/2968-113-0x0000000075CC0000-0x0000000075D17000-memory.dmp

                      Filesize

                      348KB

                    • memory/2968-112-0x0000000074F60000-0x00000000750FE000-memory.dmp

                      Filesize

                      1.6MB

                    • memory/2968-38-0x0000000000400000-0x00000000004FF000-memory.dmp

                      Filesize

                      1020KB

                    • memory/2968-110-0x00000000761C0000-0x000000007624F000-memory.dmp

                      Filesize

                      572KB

                    • memory/2968-109-0x00000000769B0000-0x0000000076A50000-memory.dmp

                      Filesize

                      640KB

                    • memory/2968-108-0x0000000075740000-0x00000000757DD000-memory.dmp

                      Filesize

                      628KB

                    • memory/2968-107-0x0000000010000000-0x0000000010060000-memory.dmp

                      Filesize

                      384KB

                    • memory/2968-106-0x0000000074950000-0x0000000074986000-memory.dmp

                      Filesize

                      216KB

                    • memory/2968-105-0x0000000075A80000-0x0000000075C1D000-memory.dmp

                      Filesize

                      1.6MB

                    • memory/2968-104-0x0000000075100000-0x00000000751F5000-memory.dmp

                      Filesize

                      980KB

                    • memory/2968-103-0x00000000749E0000-0x0000000074A19000-memory.dmp

                      Filesize

                      228KB

                    • memory/2968-102-0x0000000075290000-0x00000000752DC000-memory.dmp

                      Filesize

                      304KB

                    • memory/2968-101-0x0000000074A20000-0x0000000074BB0000-memory.dmp

                      Filesize

                      1.6MB

                    • memory/2968-100-0x0000000074BF0000-0x0000000074C22000-memory.dmp

                      Filesize

                      200KB

                    • memory/2968-99-0x0000000074E20000-0x0000000074E37000-memory.dmp

                      Filesize

                      92KB

                    • memory/2968-98-0x0000000074E40000-0x0000000074E78000-memory.dmp

                      Filesize

                      224KB

                    • memory/2968-97-0x00000000755A0000-0x0000000075623000-memory.dmp

                      Filesize

                      524KB

                    • memory/2968-92-0x0000000074ED0000-0x0000000074F21000-memory.dmp

                      Filesize

                      324KB

                    • memory/2968-91-0x0000000075CC0000-0x0000000075D17000-memory.dmp

                      Filesize

                      348KB

                    • memory/2968-87-0x0000000074F60000-0x00000000750FE000-memory.dmp

                      Filesize

                      1.6MB

                    • memory/2968-62-0x0000000076AA0000-0x00000000776EA000-memory.dmp

                      Filesize

                      12.3MB

                    • memory/2968-120-0x0000000074BF0000-0x0000000074C22000-memory.dmp

                      Filesize

                      200KB

                    • memory/2968-85-0x00000000763B0000-0x000000007650C000-memory.dmp

                      Filesize

                      1.4MB

                    • memory/2968-76-0x0000000074A20000-0x0000000074BB0000-memory.dmp

                      Filesize

                      1.6MB

                    • memory/2968-84-0x00000000761C0000-0x000000007624F000-memory.dmp

                      Filesize

                      572KB

                    • memory/2968-83-0x00000000769B0000-0x0000000076A50000-memory.dmp

                      Filesize

                      640KB

                    • memory/2968-82-0x0000000010000000-0x0000000010060000-memory.dmp

                      Filesize

                      384KB

                    • memory/2968-81-0x0000000075A80000-0x0000000075C1D000-memory.dmp

                      Filesize

                      1.6MB

                    • memory/2968-78-0x0000000075100000-0x00000000751F5000-memory.dmp

                      Filesize

                      980KB

                    • memory/2968-74-0x0000000074BF0000-0x0000000074C22000-memory.dmp

                      Filesize

                      200KB

                    • memory/2968-73-0x00000000757E0000-0x000000007580A000-memory.dmp

                      Filesize

                      168KB

                    • memory/2968-72-0x0000000074C30000-0x0000000074CBC000-memory.dmp

                      Filesize

                      560KB

                    • memory/2968-71-0x0000000074CC0000-0x0000000074DDC000-memory.dmp

                      Filesize

                      1.1MB

                    • memory/2968-70-0x0000000074E40000-0x0000000074E78000-memory.dmp

                      Filesize

                      224KB

                    • memory/2968-413-0x0000000000400000-0x00000000004FF000-memory.dmp

                      Filesize

                      1020KB

                    • memory/2968-426-0x0000000005270000-0x00000000052D8000-memory.dmp

                      Filesize

                      416KB